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ABOUT THE CYRC AND THE 2021 
OPEN SOURCE SECURITY AND RISK 
ANALYSIS REPORT 


The Synopsys Cybersecurity Research Centers 
(CyRC) mission is to publish security advisories and 
research to help organizations better develop and 
consume secure, high-quality software. Our most 
recent security and software quality reports include 
“Peril in a Pandemic: The State of Mobile Application 
Security, an analysis of the most popular Android 
apps used during the COVID-19 pandemic; and 
“DevSecOps Practices and Open Source Management 
in 2020," a survey of software professionals on open 
source management and DevSecOps. 


This research, the CyRC’s annual “Open Source 
Security and Risk Analysis” (OSSRA) report, provides 
an in-depth snapshot of the current state of open 
source security, compliance, licensing, and code 
quality risk in commercial software. 


For over 17 years, security, development, and legal 
teams around the globe have relied on Black Duck® 
software composition analysis (SCA) solutions and 


Audit Services. Our SCA solutions help organizations 
identify and track open source code and automate 
the enforcement of open source policies through 
integration with currently used DevOps tools and 
processes. Our Audit Services team conducts 

audits on thousands of codebases for customers 
each year, both to support merger and acquisition 
(M&A) transactions and to provide customers with 

a comprehensive, up-to-date Bill of Materials of the 
open source, third-party code, web services, and APIs 
used in their applications. 


The audit data is cross-referenced with the Black 
Duck KnowledgeBase™ to identify potential license 
compliance and security risks as well as other factors 
that may affect the overall codebase. Curated by the 
CyRC, the KnowledgeBase houses data on millions 

of open source libraries from over 24,000 forges and 
repositories. 


Audits are the primary source of data for the 2021 
OSSRA report. Additional data used in the report 
(specifically in the “Parallels between the ‘State of 
Mobile Application Security’ and OSSRA reports’ 
section and the conclusion) comes from Black 
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Duck Binary Analyses and Coverity Scan®. The 

2020 audit data analysis used in this report was 
conducted by the CyRC’s Belfast and Boston teams. 
In addition to validating data used in the OSSRA, the 
Belfast team's work forms the basis of Black Duck 
Security Advisories (BDSAs), which offer enhanced 
vulnerability information that the team publishes as a 
service to commercial Black Duck customers. 


This year, the CyRC teams examined anonymized 
audit findings from over 1,500 commercial 
codebases in 17 industries. You need look no 
further than the pages of this report to see that 
open source libraries are the foundation for literally 
every application in every industry. But paralleling 
the popularity of open source is a growth in risk— 
specifically around open source licensing, security, 
code quality, and maintenance. 


This sixth edition of our report, the 2021 OSSRA, 
includes recommendations to help open source 
developers and consumers better understand the 
software ecosystem they are part of, as well as 
the risks that come with unmanaged open source 
development and use. 
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Codebase 


The code and associated libraries that make up 
an application or service. 


Binary analysis 

A type of static analysis that examines the 
software of an application when access to the 
source code isn't possible. 


Black Duck Security Advisory (BDSA) 


A classification of open source vulnerabilities 
identified by the CyRC security research team. 
BDSAs provide Synopsys customers with 
¥e] Ware are) Ae) mes16) 0) e)(=)aal=laie-lmalelaiiler-lale)ame)me) e\-19 
source vulnerabilities and upgrade/patch 
guidance. 


Software library 


Prewritten code that developers can add to 
their software. A software library might be 

a utility, such as a calendar function, or a 
comprehensive software framework supporting 
an entire application. 


Dependency 


A software library becomes a dependency 
when other software uses it—that is, when 
software becomes dependent on that library. 
Na Wie] N=) airs] ©) ) i (ex 1u(e) ame) mrsy=) avd (ex pals Wa ale hs) 
many dependencies, which themselves may be 
dependent on other libraries. 


TERMINOLOGY USED IN THIS REPORT 


Open source license 


yANESY=) mo) in (=) ¢galswr-] ale mere) alelia(o)arsmcie>lal gem =)plemUrs\=16 
obligations when an open source library is 
used in software, including how the library may 
be used and redistributed. Most open source 
Nfot=\atsy=\swure]] falco me)al=me) mance mer-1¢-16(0]e(-1s 


¢ Permissive license 


A permissive license allows use with few 
restrictions. Generally, the main requirement 
of this type of license is to include 
1g] ole it(e)pmeymdat= me) ste] lar-] meee (-mcomtat-me) ale |lare) 
(o{=\V/=) (0) 8\-1 6% 


¢ Copyleft license 


This type of license generally includes a 
iKcYol] 8) oles invme) 0) i(er- ha (ela mcie-leialemear-imanreyeliirexe 
and extended versions are released under 
the same terms and conditions as the 

(o) de] aks] mexere(-Mm Oxo) aalaat=igeir-1-)aled(osowr-l com Wie 1 87 
of including open source with copyleft 
licenses in their software, as its use can call 
the overall codebase’s intellectual property 
(IP) into question. 


2021 OPEN SOURCE SECURIT ¥ ANDERISK ANAIEY Sl Sane Oe nals| OVAOVAIESS ANIC] toh As INC. = 


Bill of Materials (BOM) 


A comprehensive inventory of the open source 
dependencies in a codebase, often generated 
by a software composition analysis tool. A BOM 
lists all the open source, associated licenses, 
versions in use, download locations for 
libraries/dependencies, and subdependencies 
the dependencies link to. 


Software composition analysis (SCA) 


A type of application security tool used to 
automate the process of open source software 
management. SCA tools identify the open 
source used in a codebase, provide risk 
inar-Var=\e(=)ani-1alar-lacem palia(er-ldce)ama-rere)aalaal=\aler-lale) arse 
re alolm of-1 ace) nam l(ex-latsxsmere)aa]®)it-lalexcm\c-) a liler-1e(e lap 


Static analysis 


Also referred to as static application security 
testing (SAST), automated static analysis is 
UEX=re Mom (o(=\pidiavmerere lave Mits\iAMUlaallamacealaelalaliare] 
(static) code. Static analysis is an important 
part of the software development life cycle 

(SB) EO) -Tato le smerelaalante)al hmelsy-10M ©)’ naleysi mcLoy ANNE 1K) 
development teams. 
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OPEN SOURCE VULNERABILITIES 
AND SECURITY 


A full 84% of the 1,500+ codebases Black Duck 
Audit Services audited in 2020 contained at least 
one public open source vulnerability—a 9% increase 
from the 75% of 2019 and the second-highest 
increase seen since 2017. Similarly, the percentage 
of codebases containing high-risk open source 
vulnerabilities increased to 60% in 2020, a dramatic 
11% increase from the 49% of the 2019 audits. 
“High-risk” indicates that a vulnerability has been 
actively exploited, has documented proof-of-concept 
exploits, or has been classified as a remote code 
execution vulnerability. Several of the top 10 open 
source vulnerabilities that were found in codebases 
in 2019 reappeared in the 2020 audits, all with 
significant percentage increases. 


Vulnerabilities in Codebases 





Percentage of codebases 
containing at least one vulnerability 
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PARALLELS BETWEEN 
THE ‘STATE OF MOBILE 
APPLICATION SECURITY’ 
AND OSSRA REPORTS 


The OSSRA results parallel the findings of the 
CyRC’s 2021 “Peril in a Pandemic: State of Mobile 
Application Security” report. For that report, CyRC 
researchers used binary analysis to scan over 3,000 
(o) i va{=manteysyem ole) 0)0)¢-1ay-V ale] ge)(omr-]0)e)|(er-1a(elalom lamar 
(CToYoye) (<M mak-\Vare) (0) €-mm ON =) mcloh Me) mm laleysx-ur-] 0) 8) I [ere] ile) als 
contained open source—and 63% contained 
vulnerable open source libraries. Nearly half of the 
open source vulnerabilities found in that report were 
Ke (vai aiatcvemr-komalle|amatsL.e 


The “Peril in a Pandemic: State of Mobile 
Application Security” report shows the clear impact 
14g1=m@10)¥41DEu bo ox-Vale(=1pn](omar-lomar-(eme)amual-me co) ane 

of app downloads, as well as a corresponding 
likelihood that open source vulnerabilities are 
present in those apps. Similarly, the number of 
open source vulnerabilities increased in the audits 
reported in the 2021 OSSRA, and that increase is 
r=¥sy of =1ou f= 1) NV ©) Ke) alele) alexcve mV arcvam (ele) diavem-lmlalelelsiiay 
breakdowns. 
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Despite lockdowns and work-from-home policies, 
businesses still need to seek prospects, close deals, 
communicate with and support customers—all of 
which engendered a significant increase in the use 
of customer relationship technologies during 2020. 
Veeva Systems, a cloud computing company serving 
the healthcare sector, noted that it experienced 

10 times more usage of its customer relationship 
management products during the pandemic.' The 
videoconferencing company Zoom emerged as 

one of the corporate success stories of 2020, as 
video meetings became an essential part of work 
and school. And retailer L.L. Bean saw its best 
revenue growth since 2011 and added 1 million new 
customers thanks to two hot retail segments fueled 
by the pandemic—comfort clothing and outdoor 
gear.” 


The OSSRA data notes that 100% of the companies 
audited in the marketing tech category—which 
includes lead-generation, CRM, and social media— 
contained open source in their codebases. Ninety- 
five percent of the marketing tech codebases also 
contained open source vulnerabilities. Seventy-one 
percent of the audited retail and e-commerce 
codebases contained vulnerabilities. Both the 
financial services/fintech and the healthcare 
industry sectors had codebases with open source 


Percentage of Codebases With Open Source Vulnerabilities =O 2020 
=| 2019 
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The top 10 vulnerabilities 


Several of the top 10 open source vulnerabilities— 
including one that is a high-risk vulnerability— 
appearing in the 2019 codebases reappeared in 

the 2020 audits, some with significant increases in 
percentages. CVE-2019-10744, a lodash vulnerability 
rated by the National Vulnerability Database (NVD) 
as “critical” and affecting all versions of the popular 
JavaScript library prior to 4.17.12, appeared in 29% 
of both years’ codebase audits. 


Development teams appear to be struggling with 
the dynamic nature of open source security risk, 
especially with the increase in open source use. An 
open source library with no vulnerabilities doesnt 
necessarily stay that way a year or a month— 
sometimes not even a week—later. Access to reliable 
and diverse sources of vulnerability data is critical to 
staying atop of open source risk. Ideally, vulnerability 
information should be pushed to developer or 
security teams via the alert systems they already 
use, such as email, Slack, and Microsoft Teams. 


Percentage of Codebases With Top 10 CVEs/BDSAs 
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*BDSA-2014-0063 is a high-severity vulnerability in which jQuery is vulnerable to cross-site scripting (XSS) due to lack of 


validation of user-supplied input. A fix is available. 


“BDSA- 2015-0567 affects all jQuery versions that use an unpatched UglifyJS parser, opening them to arbitrary code 


execution through crafted JavaScript files. A fix is available. 
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It's also possible that the knowledge that the 
codebase was dependent on a vulnerable open 
source library was buried somewhere inside the 
collective memory of the development team— 
possibly forgotten, possibly not documented at all. 
To fix an open source vulnerability, you first have to 
know the vulnerability is there. Pinpointing vulnerable 
open source depends on identifying and inventorying 
all open source you're using. 


Most applications are dependent on hundreds 
of open source libraries—the average number of 
libraries found in the 2020 audits was 528 per 
codebase. An open source inventory or Bill of 
Materials automatically generated by a software 
composition analysis tool can provide the 
comprehensive information needed to address 
security risk. 
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OPEN SOURCE LICENSING 


Black Duck Audit Services found that 65% of the 
2020 audited codebases contained open source with 
license conflicts, a slight decrease from 2019. Nearly 
three-quarters of the codebases with a license 
conflict were specifically in conflict with one version 
or another of the GNU General Public License. 


Twenty-six percent of the codebases were found 

to be using open source with no license or a 
customized license. Codebases with customized 
open source licenses need to be evaluated for 
possible IP and other legal issues. The JSON license, 
for example, essentially uses the permissive MIT 
license with the addition, “The Software shall be 
used for Good, not Evil.” Owners of many popular 
projects—notably, Apache Foundation projects—have 
removed code using the JSON license because of 
the license's ambiguity; that is, although “software” is 
a defined term, “good” and “evil” are open to arguable 
interpretation. 


Codebases that include open source dependencies 
with no discernable license also may require 

a decision about whether to replace those 
dependencies altogether. 


Broken down by industry, the sectors with the highest 
percentage of codebases that contained open 
source license conflicts (86%) were the energy and 
clean tech sector and the manufacturing, industrials, 
robotics sector. The retail and e-commerce sector 
had the lowest percentage of codebases with open 
source license conflicts at 47%. 


Percentage of Codebases With License Conflicts 


85% 





2021 OPEN SOURCE SECURITY AND RISK ANALYSIS REPORT | © 


© 
= 
“ 
Z 
LJ 
= 
—l 





Understanding license risk 


According to copyright law, using software in any 
way requires permission in the form of a license 
describing the rights conveyed to users and the 
obligations users must meet. Even the friendliest 
open source licenses include obligations the user 
takes on in return for use of the software. 


Open source license litigation (including those for 
copyright, contract, antitrust, patenting, and fair 
use) is on the rise around the world. Potential 
license risk arises when a codebase includes open 
source with licenses that appear to conflict with the 
overall license of the codebase. The most common 
example of this is open source code under the GNU 
General Public License v2.0 (GPLv2), which often 
creates a conflict when compiled into a distributed 
piece of commercial software. But the same code 
isn't a problem in software considered software as 
a service (SaaS), because the GPL doesn't consider 
SaaS code to be “distributed.” This isn't to imply that 
SaaS software is immune from license conflicts; 
some licenses can be problematic for SaaS as well. 


Percentage of Codebases With Licensing Conflicts, by Industry 
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Aerospace, Aviation, Automotive, 


Transportation, Logistics 


ia __ Big Data, Al, Bl, Machine Learning 


Lo : : Computer Hardware 
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|————~| Ed Tech 
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/ / / Energy 
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7 a \ e 7 / Tech 
€ 
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Enterprise 
Software/SaaS 
Financial Services 
7 i. and FinTech 
Internet and Healthcare, 
Software Health Tech, Life 
Infrastructure Sciences 


Sometimes an open source component has a so- Percentage of Codebases Containing Open Source With No License or Custom License 
called “custom license’ in which the developer used - 
their own licensing language or added language to ” 
a Standard license. Such license additions are often 
well-intentioned but can raise concerns, especially in 
merger and acquisition transactions. 


© 
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“ 
Z 
LJ 
= 
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Whether open source or not, if third-party code 
doesnt have a license, serious legal issues can arise. 
In the U.S. and many other jurisdictions, creative 
work—including software—is placed under exclusive 
copyright by default. Unless there's a license that 
specifies otherwise (or the copyright holders grant 
permission), no other party can use, copy, distribute, 
or modify the software without the risk of litigation. 


33% 


26% 
29% 
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OPEN SOURCE SUSTAINABILITY Percentage of Codebases Containing Components That Have Had No Development Activity 


. Within the Past Two Years 
Of the 1,500+ codebases examined by Black 


Duck Audit Services in 2020, a staggering 91% 
contained open source dependencies that had 

had no development activity in the last two years. 
That figure means 91% of the codebases audited 
contained dependencies with no feature upgrades, 
no code improvements, and no security issues fixed 
over the past two years. 
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One of the reasons behind the popularity of open 

source is the volunteer communities continuously 

updating code and addressing vulnerabilities. 91% 
Software developer and author Eric Raymond calls 

this Linus’s Law in action: with many eyes looking at 

code, “all bugs become shallow.” A Purdue University 

study showed that Linus’s Law does work*—open 90% 

source communities regularly issue patches faster 
than their proprietary software counterparts. But 
there's no guarantee that the volunteer community 
behind any given open source project will continue 
maintaining the code indefinitely or that the 
community will continue to have members who are 
knowledgeable about the project's code. 


85% 
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THE PRICE OF POPULARITY 


When an open source library becomes popular, 

the price is increased pressure on its (usually 

7a} ox-1(e) Maat=liaut=llal=1esteenl Ual=m L-Yo)e)(-M\Z aren ars lare| (=m elele] 
reports, feature requests, code reviews, and code 
commits for the free software. It's not unusual for 
the maintainers to be a solo developer—a “random 
person from Nebraska,’ as the popular xkcd internet 
(ofo)n a) (om at-home 


That random person is often the only bulwark 

0] 9) oe) a di alemmaal=1imu 9)(-1ex-me) maal- Me) 0l-1p myo) 0] pex~ 
Tavigcksyiae(e1s0la-m vats) manteye(=/samcxe)anr-]c-me(=)0\-1ale(ome)ap 
As an open source project grows in popularity—with 
iatomeoxo)ac=s<j oXe)ale|/ale meine) ana Wlam ex-xe)e)(-Maar-liair-lialiare 
the project—the consequence is often developer 
burnout, and many open source projects are 
abandoned. The problem is severe enough that 
The Core Infrastructure Initiative was created to 

(2Y a¥=] 0) (ma k=1ev a] ale) (oye \yaexe)an) oy-Val=xsmce exe) f=] ele) r-10NV{=1 NV 

Ke {Vai quavarslalemmae) ale me) e\-1amcvol0] cei-m 0) ce) (-\e1ecmigt-lar- come 
need of assistance, while still allowing developers 
Comore) aid) alel=miar=yimce)q @elare(-)maal-mexe)anlanlllaliamale)anars 
that have made open source so successful. 
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Eighty-five percent of the codebases Black Duck 


Audit Services examined in 2020 had open source | ~Y 
dependencies that were more than four years out- 
of-date. That is, the codebases were using an open 
source library with newer versions available—often 
with many newer versions available. As noted earlier, 
its clear that development teams are struggling to 
keep their open source dependencies up-to-date. WZ 
o— Re) 


Returning to the lodash vulnerability mentioned 
in the “Top 10 vulnerabilities” section, 29% of the 
codebases in both the 2020 and 2019 audits 


contained CVE-2019-10744, even though an upgrade O F A u D | T E D 


of the library that addresses the vulnerability has 


been available since July 2019. Did the developers C () [) 5 BR AS 5 S 


determine that the risk was low enough to put off 


an update? Was their thinking “if it ain't broke, don't C C) Ni TA | N : [) () Dp : N 


fix it"? Were they even aware of the version of the 


dependencies their applications call on? Postponing SOURCE COMPONENTS 


a dependency update for six months to a year may 


be justifiable, but what are we to make of the 85% of y H AT W : R 5 M C) R : 


audited codebases with open source libraries more 


than four years behind the latest versions? THAN FOUR YEARS 
QU T-OF-DATE 
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THE PETER PARKER PRINCIPLE 


“With great power comes great responsibility.” 
—anon., often attributed to Stan Lee 


How does it feel to be part of a revolution? As the 
data in the 2021 OSSRA report demonstrates, it's 
rare today to find an application that isn't dependent 
on the power of open source. Not only is more 

open source in use, but more developers are writing 
open source. The 2020 FOSS Contributor Report 
sponsored by the Linux Foundation notes that nearly 
half of respondents to its survey were being paid 

by their organizations to contribute to open source 


projects.* A CyRC survey (“DevSecOps Practices 


and Open Source Management in 2020”) indicates 
that the majority of organizations in the business 


of building software—65%—have policies in place 
allowing their developers to contribute to open 
source projects. 


As this report has stated, paralleling the growth of 
open source is a growth in risk—specifically around 


open source security, code quality, and sustainability. 


Part of the reason is that the increased use of open 
source makes managing a dynamic, changing risk 
landscape more difficult. To meet the challenge, 
development teams need to have reliable and timely 
vulnerability information, a comprehensive inventory 
of the open source dependencies their software 
uses, accurate guidance on vulnerability severity and 
exploitability, and clear direction on how to patch the 
affected open source. 
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Does your organization have a published 
policy for its developers to make open source 
contributions? 


(“‘DevSecOps Practices and Open Source Management in 
2020” survey) 
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Mistakes versus malice 


Although malicious attacks tend to steal the 


(>) COVERITY SCAN DATA 
spotlight in the media, code flaws introduced by 


mistake can be just as disruptive and are much more \) 
@ 


likely to impact open source projects. According to 
the “2020 State of the Octoverse’ report, 83% of the 
vulnerabilities that GitHub sent alerts on from 2019 
through 2020 were due to coding errors rather than 
malicious intent.’ 


If most attacks exploit unintentional vulnerabilities in 
code, preventing these unintentional vulnerabilities 
becomes all the more crucial. One strategy 

is to educate developers on secure software 
development. Free courses from OpenSSF are 
available on edX, and many software security 
companies such as Synopsys offer commercial 


application security eLearning courses. 


Encouraging the use of detection tools such as 
static analysis before code commit is another 
means to reduce open source coding errors. Static 
analysis examines source code against a set of 
coding rules to uncover common coding errors. 
Synopsys offers a free static analysis service for 
open source developers who have registered their 
projects with scan.coverity.com. Coverity Scan is 
powered by the same engine used by Synopsys’ 
commercial Coverity static analysis tool to help 
identify code defects for fast and easy remediation. 
Respondents to the Linux Foundation survey 
“overwhelmingly cited Coverity Scan and clang 
security checkers” as the primary static analysis 
tools they use.® The next page details a case study 
on how Coverity Scan helps ensure code quality and 
security for NGINX Open Source. 


Weis. Pouters 


[== SCANNED 


yl i BILLION LINES 
ay = GF-COpE 


SCANNED 


Top 10 defects/vulnerabilities found in the scans 


Uninitialized variables 
Cross-site scripting 

Extra argument error in call 

Insecure data handling 
Uncaught exception 


Resource leaks 
Null pointer dereferences 
Memory corruptions 
Error handling issues 
Control flow issues 
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NGINX OPEN 
10] 0] {64 = 


A Coverity Scan 
Case Study 





@) 


One of the world’s most widely used web servers— 
powering sites such as Netflix, Hulu, Pinterest, and 
GitHub—NGINX Open Source (pronounced “engine 
x”) is known for its high performance, stability, rich 
feature set, simple configuration, and low resource 
consumption. Other members of the NGINX Open 
Source family include NGINX JavaScript (njs), 
reWmaarelel0| (mle le) ale mer-\\z- hover |9)mcJ0] 0) ole) mrOm NICTIND.S 
relate NLCTIND GLO] ay ious meh Zar-laalcem-]0)e)|ler-ldle)amsy-1aU-1 5 
supporting applications written in Perl, Python, 
Ruby, Node.js, Go, Java, and PHP njs. 


Developers for all three NGINX Open Source 
projects use Coverity Scan® to find and fix defects 
in their code. A free online service provided by 
Synopsys and powered by the same engine used by 
Synopsys commercial Coverity static analysis tool, 
Scan helps open source developers identify code 
defects for fast and easy remediation. 


“| have a strong belief in the power of open 

source,’ said Igor Sysoev, the software's author and 
(oto) Kol0 are(=)me) MN LC1IN Dal am- AON asl ait=) AU (=\)\A N LCTIN DLS 
was an experiment focused on a very specific 
problem—how to handle more customers on a 
single, existing server. It turned out to be a universal 
problem. As soon as | realized NGINX really helps to 
improve web performance, | wanted people to use it, 
so | made it open source.” 


A web server that can also be used as a reverse 
proxy, load balancer, mail proxy, and HTTP cache, 
the open source version of NGINX powers more 


than 400 million websites. Sysoev cofounded 
NTCTIND. Gia 740 it I coms 9) go) (6(- mre) sant-]m<10] 9) 0Le) ame) m NICTIND,< 
(©) oX=1pmesyo) 0] cer-m-]alemcome)nc-\ar- mere) anlaat-lcell-|MV(-165)(0)0 8 
NGINX Plus, which adds enterprise-grade features 
Kom NLCTIND, 0) ol-laeelelel cern 


INTCTIND GZ: Koar- exe [0] [x10 mo) al atom \(-1A)0) 8 ¢syar-]amr-] 0) 8) |Ler-halola 
security and delivery company, in 2019. Today, the 
INTCTIND Gir Tanti \eyime) 1-1 a esvol 0] ner-m 0) xe) {-Lo1 kom [ale (e(- alice 

rem naretel0|(-m-le lel | alemer-h’c-boxeng|9)m<10] 6) ole) mcom \IClIND.@r-lale! 
NTCTIND GU lalien-eh'/ar-lnal(om-]e) 9) Irer-1tleamst-)aV-1 6 


BM at-We)ce)e)(-\n0 em aarciela lave Me) L-lamcvelllcex-Mexele (= 
quality and security 


“We integrated Coverity Scan into our Cl/CD 
pipeline soon after establishing NGINX,’ said Maxim 
Xo) alo)vZ=](@\ Ao] a= Me) mma al= oxo) an] ey-lalacmere) cele /ale(-)acw-1are 
now VP of engineering. “We've been submitting 
NGINX build artifacts daily since 2012.” 


“In many cases, NGINX acts as an internet front 
end,’ continued Konovalov. “Its security and stability 
are essential to its users. My team is passionate 
about code quality and are always looking for best 
practices and tools to help us improve it. Static 
code analyzers such as Coverity Scan provide a 
great help to us.” 


NGINX takes its role as a foundational technology 
to millions of apps and websites very seriously. 
Code quality and security are part of its ethos, and 
the tools that help support that mission are integral 
to its development practices. 


The solution: Static code analysis with 
Coverity Scan 


(@foyalie-lava vom oxe)9)01(-]me)e)[alre)anmnaleysimsveyaayr-la= 
vulnerabilities are the result of coding mistakes, 
not malicious attacks. According to the “2020 
State of the Octoverse” security report, 83% of the 
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“High-impact” outstanding defects 
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vulnerabilities that GitHub sent alerts on from 2019 
lip} ce)ele la WAC VAM i-1¢-mel6(-mcomeroleliale M=1ace)ecme-lial-lmcar-l a 
malicious intent. 


SU} Mant] (elle lswr-1ut-(e1.<ome (OM =)40) (0) 1 mire) Mla merele(-ar-l ale 
(o{=\V=) (0) 0-1 al =i=10 Mi (OM=10018) ¢-[er-m 8) ger-(e1ehome(=1K-\e1t (ele 
tools to uncover bugs in the code they write. Static 
ATI NASI) @- lanl alaxsuesvel0| nex>mexeye(-¥-le[-llalsiar- S110) i 
(ofolel| ale Mm abl(-tsmcome] alexe)yc-) more) palanve)amexeye||alem=)ane ese 


BA aC-M c= posed MOLOLOM I a(-tomeoymexele(- Myer: Ta lat=re| 
with a defect density of 0.02% 


In the January 2021 Coverity Scan of a NGINX build, 
658,665 lines of code were analyzed, and various 
(ofole{=Mel-1i-\e1 km0 | alexe)V.-1 c-1e Pale ULelTave maw (em @n\ =m Ke) 8) 

25 defects. Thanks to F5’s regular use of Coverity 
SYor-] amt alo LC1IND,@# 8) x0) (=\e1m al-lswr- me (=1 (cron me l=) a0s]1AV/ 

((aTUTan) of-Yexo) me (-¥i-Vo1 tom of-1am OL0L0 Il ai-tomeymorele(-) Moy melal\Y 
0.02%. 


“Coverity Scan provides an invaluable service to 

us, says Maxim Konovalov. “I regularly recommend 
Coverity Scan and its ability to provide specific defect 
XM [amexolel=mexe)anlaaliccmm-\aleM(amr-(e1em Mank-Wanl:1p0)e\-1me) i 
the FreeBSD committers group, and we use Coverity 
Scan for code analyses of FreeBSD as well.” 
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Create demand for a Bill of Materials 


The concept of a software Bill of Materials (BOM) 
comes from manufacturing, where the classic 
BOM Is an inventory detailing the items included 
in a product. When a defective part is discovered, 
the manufacturer knows precisely what product 
is affected and can begin the process of repair or 
replacement. 


While still a new concept to many, the demand 

for open source BOMS is growing. In its 2020 

Magic Quadrant for Application Security Testing, 
Gartner predicted, “By 2024, the provision of a 
detailed, regularly updated software Bill of Materials 
by software vendors will be a non-negotiable 
requirement for at least half of enterprise software 
buyers, up from less than 5% in 2019." 


If software vendors can anticipate that their 
enterprise customers will require a software BOM, 
it’s fair to anticipate the same for the open source 
projects the software depends upon. For many 
projects this can be done, at least in part, by package 
management information that identifies direct 

and indirect dependencies. Software composition 
analysis tools can use this information to create 
more complete (specific versions, license, etc.) BOM 
information. 


Open source consumers should expect that 

many projects—especially those with few active 
contributors—wont be ready to provide BOMSs. This 
may be the perfect opportunity for companies that 
depend on open source projects to help develop and 
maintain the project's BOM. 
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Coda 


Whether you believe it was Voltaire or Peter Parker's 
Uncle Ben who first said, “with great power comes 
great responsibility, you cant deny the proverb's 
accuracy. As part of the open source ecosystem we 
all share in its power—and we all share responsibility 
to keep open source safe and secure. It's time we 
exercise Our power as developers and consumers of 
open source and take on the shared responsibility of 
maintaining open source quality and security. 
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FURTHER READING 


Backstabber’s Knife Collection: A Review of 


Open Source Software Supply Chain Attacks 
Dependency Confusion: How | Hacked 

Into Apple, Microsoft and Dozens of Other 
Companies 

DevSecOps Practices and Open Source 
Management in 2020 


Finding Critical Open Source Projects (Google 
blo 


- Related: Finding Critical Open Source 
Projects (Top 10 list) 


Get earlier, actionable vulnerability insights 
from Black Duck Security Advisories 

How the Linux Foundation’s Software Signing 
Combats Supply Chain Attacks 


- Related: What is sigstore? 


Know, Prevent, Fix: A framework for shifting 
the discussion around vulnerabilities in open 
source 

Open source licenses: No license, no 
problem? Or ... not? 


OpenSSF: Secure Software Development 
Fundamentals Courses 


Peril in a Pandemic: The State of Mobile 


Application Security 

Preventing Supply Chain Attacks like 
SolarWinds 

TANSTAAEL! The tragedy of the commons 


meets open source software 
What is a software bill of materials? 
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The Synopsys difference 


Synopsys helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. Synopsys, a recog- 
nized leader in application security, provides static analysis, software composition analysis, and dynamic analysis solutions that enable teams to quickly 
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tools, services, and expertise, only Synopsys helps organizations optimize security and quality in DevSecOps and throughout the software development 
life cycle. 


About CyRC 


The Synopsys Cybersecurity Research Center (CyRC) works to accelerate access to information around the identification, severity, exploitation, mitigation, 
and defense against software vulnerabilities. Operating within the greater Synopsys mission of making the software that powers our lives safer and of 
the highest quality, CyRC helps increase awareness of issues by publishing research supporting strong cybersecurity practices. For more information, go 


Ke) www.synopsys.com/software. 
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